Thursday, February 11, 2016

CNIL Gives Facebook Three Months to Obey DP Law

Following onsite and online investigations, the French data protection authority, the CNIL, issued a formal notice on February 8 giving Facebook three months to stop violating the fundamental rights and interests of its users. Should Facebook fail to comply within the time limit, the CNIL will begin the process of imposing sanctions on the company. Quoting from its notice, Facebook has violated the French Data Protection Act in the following five ways:

- FACEBOOK collects, without prior information, data concerning the browsing activity of Internet users who do not have a FACEBOOK account. Indeed, the company does not inform Internet users that it sets a cookie on their terminal when they visit a FACEBOOK public page (e.g. page of a public event or of a friend). This cookie transmits to FACEBOOK information relating to third-party websites offering FACEBOOK plug-ins (e.g. Like button) that are visited by Internet users.

- The social network collects data concerning the sexual orientation and the religious and political views without the explicit consent of account holders. In addition, Internet users are not informed on the sign up form with regard to their rights and the processing of their personal data.

- The website also sets cookies that have an advertising purpose without properly informing and obtaining the consent of Internet users.

- FACEBOOK compiles all the information it has on account holders to display targeted advertising (information provided by the Internet users themselves, collected by the website and by other companies of the group, and transmitted by commercial partners). As it is, the company provides no tools for account holders to prevent such compilation, which thereby violates their fundamental rights and interests, including their right to respect for private life.

- FACEBOOK transfers personal data to the United States on the basis of Safe Harbor, although the Court of Justice of the European Union declared invalid such transfers in its ruling of October 6, 2015.

The last bullet point is particularly interesting. Although Facebook has stated to the media in other contexts that it uses model contracts and does not rely upon Safe Harbor, it has failed to modify its Privacy Policy, which still says that it complies with the US-EU and US-Swiss Safe Harbor frameworks. This should be a cautionary tale to companies that continue to rely upon Safe Harbor and have not revised their privacy policies accordingly. Other Internet giants, such as Salesforce and Twitter, shifted to reliance upon model contracts shortly after the October 2015 CJEU ruling. The CNIL's formal notice is also noteworthy as the first significant action taken against a US company over data transfers under Safe Harbor. By keeping Safe Harbor open for business, the US Dept. of Commerce remains complicit in similar violations of European law by US companies.

According to Fortune, the larger challenge to Facebook in the CNIL notice is its clear opposition to the profiling of users, which could hammer the advertising giant's business model and profits. Regulators in Belgium, the Netherlands, Spain and Hamburg have been working with the CNIL on these profiling issues, and additional enforcement actions against Facebook can be anticipated from them as well.

Facebook's response to the CNIL order? A spokesperson was quoted as saying "We are confident that we comply with European data protection law and look forward to engaging with the CNIL to respond to their concerns." Such confidence, ill-advised and arrogant, hardly reflects well upon the acuity of Facebook's legal team if taken at face value.